Docker daemon publicly accessible


Goal

Detect when multiple external connections are made to the port for the Docker daemon (2375 or 2376).

Strategy

Internet-accessible Docker daemons are a security risk. Authentication is not enabled by default, so anyone who can reach the port gains full access to the Docker daemon and, in turn, to the host system. Legitimate internet-facing services on these ports are rare, so external connections to them are a strong signal.
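The detection strategy above, counting distinct external sources that reach a host on the Docker daemon ports, as an added example that is not part of the original rule or of Datadog's implementation. The flow records and the `SAMPLE_FLOWS`, `is_external` and `find_exposed_daemons` names are constructed assumptions; the record shape (source IP, destination IP, destination port, bytes) is an assumption about what a network-flow source exports.

```python
import ipaddress
from collections import defaultdict

# Ports the Docker daemon listens on when exposed over TCP (2375 plain, 2376 TLS).
DOCKER_PORTS = {2375, 2376}

# Address ranges treated as internal; anything else counts as an external source.
# Listed explicitly because Python's is_global/is_private also classify the
# documentation ranges used in the sample below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample flow records (src_ip, dst_ip, dst_port, bytes). Not real traffic.
SAMPLE_FLOWS = [
    ("203.0.113.10", "10.0.1.5", 2375, 842),
    ("203.0.113.11", "10.0.1.5", 2375, 1200),
    ("198.51.100.7", "10.0.1.5", 2375, 610),
    ("10.0.1.20", "10.0.1.5", 2375, 300),    # internal CI runner, not an external source
    ("203.0.113.10", "10.0.1.5", 443, 4000),  # unrelated HTTPS traffic, ignored
    ("198.51.100.9", "10.0.2.8", 2376, 950),  # single external source, below threshold
]

def is_external(ip: str) -> bool:
    """True when the address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def external_sources_by_host(flows):
    """Map (dst_ip, dst_port) -> set of external source IPs hitting a Docker port."""
    seen = defaultdict(set)
    for src, dst, port, _ in flows:
        if port in DOCKER_PORTS and is_external(src):
            seen[(dst, port)].add(src)
    return seen

def find_exposed_daemons(flows, min_sources=2):
    """Return sorted (dst_ip, dst_port, n_sources) for hosts contacted on a Docker
    port by at least min_sources distinct external addresses."""
    hits = external_sources_by_host(flows)
    return sorted((dst, port, len(srcs))
                  for (dst, port), srcs in hits.items() if len(srcs) >= min_sources)

if __name__ == "__main__":
    for dst, port, n in find_exposed_daemons(SAMPLE_FLOWS):
        print(f"ALERT: {dst}:{port} reached by {n} distinct external sources")
```

The threshold on distinct sources, rather than on raw connection count, keeps a single noisy scanner from dominating the signal while still flagging a daemon that the internet at large has found.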

Triage and response

  1. Determine if the service running on the port is a Docker daemon.
  2. Review the downloaded images, running containers, and Docker logs for malicious activity.
  3. Move the Docker daemon to the default non-networked Unix socket. If you must expose the Docker daemon through a network socket, configure TLS authentication and restrict access with a security group.

This detection is based on data from Network Performance Monitoring.